topic Re: restrict userid to execute FTP command only in Operating System - HP-UX

restrict userid to execute FTP command only

James Ellis_1 — Tue, 03 Feb 2004 15:12:09 GMT

I have the idea on how to do this, but I want to verify I got this right. I have a userid, lets call it jobftp, and is a member of group users.

I want to use this ID to manually execute ftp jobs from another server (Microsoft) to a HPUX server. To set this up, I would do this:

-in /etc/passwd, set the user's home directory to /bin/false
-in the /etc/shells directory, add /bin/false

A bit more information, the user will login using the jobftp ID, but the only command this user ID can execute is ftp.

Is this the best way to do this?

Thanks.

Re: restrict userid to execute FTP command only

Sridhar Bhaskarla — Tue, 03 Feb 2004 15:17:15 GMT

Hi,

Set him up with the shell '/usr/bin/rsh' and give him profile only to look at certain path. For ex., Create a directory /home/jobftp with .profile containing only the following line

PATH=/usr/restrict/bin

Change the ownership of this file to root:bin with only 400 permissions.

Copy /usr/bin/ftp into /usr/restrict/bin. Do not add anything to it.

Now the user, after logs in can only execute ftp command.

-Sri

Re: restrict userid to execute FTP command only

Patrick Wallek — Tue, 03 Feb 2004 15:17:48 GMT

The home dir should not be /bin/false, rather the users default shell (the LAST field on the line) should be /bin/false or /usr/bin/false.

Re: restrict userid to execute FTP command only

Sridhar Bhaskarla — Tue, 03 Feb 2004 15:21:12 GMT

Ahh.. I didn't quite read your message (yet another one).

If you make it /bin/false, then the user cannot login. So, the best way is to make the shell as /usr/bin/ftp and add /usr/bin/ftp to /etc/shells.

The user logs in and gets an ftp prompt. He|she will have to type "o systemname" etc.,etc

-Sri

Re: restrict userid to execute FTP command only

Steven E. Protter — Tue, 03 Feb 2004 15:56:09 GMT

Long term, you need to test the configuration yourself.

I would want things structured so the user is in a chroot jail. That means the user's home directory is root. Thats if you allow a telnet/ssh login at all, which you currrently are not doing.

The user can't cd up to the real root.

In this scenario the user may need an actual home directory thats in position to access the files you want the user to access.

Under your current setup the user can not log on with telnet. So the only way in or out is by ftp.

Other things to consider.

Why use ftp at all.

Authentication is clear text.

Why not use a Secure Shell which includes a secure ftp server for the server side.

You'll need a client for the Microsoft side and that will cost a few dollars.

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1471AA

SEP

Re: restrict userid to execute FTP command only

Dave La Mar — Tue, 03 Feb 2004 16:27:50 GMT

Attached is the HP doc, I have used, in pdf format.

Best of luck.

Regards,

dl

Re: restrict userid to execute FTP command only

James Ellis_1 — Thu, 05 Feb 2004 13:43:45 GMT

Still waiting to be able to edit the user's default shell path.

By the way, can the /etc/passwd file be edited directly?

Thanks.

Re: restrict userid to execute FTP command only

Sridhar Bhaskarla — Thu, 05 Feb 2004 13:46:18 GMT

James,

Now with "vi". YOu will need to use 'vipw' to edit the passwd file. It sets the appropriate locks so that another session won't change the password file simultaneiously.

YOu can also do a "chsh" command to change the shell. For ex.,

chsh jobftp "/usr/bin/ftp"

-Sri

Re: restrict userid to execute FTP command only

Sridhar Bhaskarla — Thu, 05 Feb 2004 13:47:26 GMT

Hmmm.. small correction. Please read "now" as "not" in the first line. My hand doesn't type what my brain says. Sorry.

Re: restrict userid to execute FTP command only

Dave La Mar — Fri, 06 Feb 2004 14:21:36 GMT

Sorry James, thought I had responded to this already.
Attached find the HP doc we have used for ftp only account setups.

Best of luck.

Best regards,

dl